Retention Policy
Version 1.0 · Open Beta · EU/GDPR test deployment · Effective date: 18 June 2026
This policy explains how long AiActs keeps major categories of personal data and operational records. It complements the Privacy Policy, Consent Document and External Processors register.
Deletion and anonymisation requests are handled from Account → Privacy & Data. Some records may be retained where required for security, legal claims, accepted-contract evidence or statutory financial duties.
| Data category | Retention rule |
|---|---|
| Account profile and authentication | While the account is active, then anonymised or deleted within 30 days after a valid deletion request unless legal/security retention applies. |
| Assessment inputs and generated reports | While the account is active and needed to provide report history; deleted/anonymised on valid account deletion unless the user exports them first or legal retention applies. |
| Consent and accepted-contract records | For the account lifetime and up to 6 years after closure to evidence lawful processing and accepted terms. |
| Privacy/data subject requests | Up to 3 years after request closure to evidence response and compliance. |
| Security, audit and application logs | Normally up to 12 months; longer where needed to investigate abuse, fraud, security incidents or legal claims. |
| Incident register and breach records | Up to 6 years after closure, or longer where required by law or active proceedings. |
| Support and complaint messages | Up to 3 years after closure unless the user requests earlier deletion and no legal/security reason requires retention. |
| Billing and financial documents | Not created during Open Beta. When paid billing launches, retained for statutory accounting/VAT periods and isolated from account deletion. |
Operational notes
- Backups may retain deleted data temporarily until normal backup rotation completes.
- Access to retained records should be restricted to authorised staff.
- Where a legal hold, security investigation or dispute exists, retention may be extended until the matter is resolved.
- Before production release, exact statutory periods must be reviewed against the final legal entity and jurisdictions served.